Web Security 2018 Year In Review

2018 has just ended and we decided to look back at it. From the many news stories that made the headlines this year, we’ve summed up 8 main elements of 2018. Here’s our year in review for web security.

 

1/ So many data breaches

Full figures for 2018 are not yet known, but 944 data breaches were already listed in the first half of the year (source). Despite growing awareness of cybersecurity, data breaches are still numerous.

In some cases, the compromised data went beyond the “classic” loss of emails, passwords or credit card numbers: for example, the Marriott breach included passport numbers, and the Aadhaar breach biometric data. This has a major impact on the people whose data was compromised, and on the image of the companies concerned.

2/ Ransomware: real troublemakers

Companies and public organisations alike are targeted by ransomware. The risk has been known since the WannaCry / NotPetya campaigns of 2017, and it is still present.

Some organisations had a difficult time under a ransomware attack this year. For instance, the city of Atlanta was blocked for 5 days, the airport of Bristol for 2 days (and the images of the whiteboards used for the timetables made the headlines), the new cable car of Moscow for almost 2 days too, etc.

 

3/ Cryptocurrency-related attacks were trendy

As cryptocurrencies were popular and their prices continued to rise, they became more and more attractive to malicious attackers. Some attacks targeted wallets or marketplaces in order to get money immediately, while others used cryptomining malware, which mines money for the attacker. Cryptominers even outnumbered ransomware in the first half of 2018 (Skybox Report Vulnerability Threat Trends 2018 Mid-Year Update, p. 11).

If cryptocurrency exchange rates keep falling in 2019, the related attacks should go down rapidly.

 

4/ Social engineering: top attack vector

Although almost everyone has heard of phishing or telephone attacks, most people either believe these attacks would be easy to spot and so do not fear them, or think they are too sophisticated to be widely used and will therefore never happen to them.

On the contrary, attacks using social engineering methods are more and more common, and have impressive success rates for the attackers. Proofpoint estimates that “as many as 95% of Web-based attacks now incorporate social engineering” (The human factor – 2018, p. 14).

 

5/ Two web security changes for users

HTTPS is becoming the reference communication protocol. Since July, Chrome has displayed HTTP sites as “not secured”, which quickens the adoption of HTTPS.

Two-factor authentication (2FA) is widely offered by websites, highlighting the importance of credentials. However, it takes some time for users to adopt this authentication method.

 

6/ Biometric identification systems are not infallible

Identification systems using fingerprints, voices or faces are often presented as “the” secure authentication solution. However, security researchers have demonstrated that these systems can be fooled with finger moulds, voice replays or 3D copies of faces. MasterPrints, which would match a large number of fingerprints, are also currently being researched.

 

7/ GDPR entered into force

Even though the GDPR (General Data Protection Regulation) has been in application since May 25th, the compliance process is still ongoing at many companies. Meanwhile, the first fines have already been issued to a hospital in Portugal and to a social media provider in Germany.

Similar laws are being studied in other countries; for example, California has already adopted its Consumer Privacy Act.

 

8/ Cybersecurity is more and more a legislative subject

Regulatory authorities are getting more and more involved in cybersecurity questions. In 2018, we saw:

  • the CLOUD Act in the USA, making it easier for authorities to access the content of communications and data held by U.S. companies, regardless of where the data is stored;
  • the Assistance and Access Act in Australia, which compels IT firms to build a way for authorities to access encrypted data;
  • the Directive on Security of Network and Information Systems (NIS Directive) and the GDPR in the European Union, which are raising the global cybersecurity level.

 

Let’s now see what 2019 has in store for us. Above all, we wish you all a secure 2019!